From: Artem Boldariev Date: Thu, 30 Nov 2023 19:35:20 +0000 (+0200) Subject: Add TLS cipher suites configuration option to BIND X-Git-Tag: v9.19.22~86^2~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3818c58bf6c20831dfc580c33c66b910141ce268;p=thirdparty%2Fbind9.git Add TLS cipher suites configuration option to BIND This commit extends the 'tls' statement with 'cipher-suites' option. --- diff --git a/doc/misc/options b/doc/misc/options index ac5dd667946..edf6fb04afb 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -350,6 +350,7 @@ statistics-channels { tls { ca-file ; cert-file ; + cipher-suites ; ciphers ; dhparam-file ; key-file ; diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c index 8c8f7b6df7e..c4e09f1c883 100644 --- a/lib/isccfg/check.c +++ b/lib/isccfg/check.c @@ -2131,7 +2131,8 @@ check_tls_defintion(const cfg_obj_t *tlsobj, const char *name, isc_log_t *logctx, isc_symtab_t *symtab) { isc_result_t result, tresult; const cfg_obj_t *tls_proto_list = NULL, *tls_key = NULL, - *tls_cert = NULL, *tls_ciphers = NULL; + *tls_cert = NULL, *tls_ciphers = NULL, + *tls_cipher_suites = NULL; uint32_t tls_protos = 0; isc_symvalue_t symvalue; @@ -2246,6 +2247,20 @@ check_tls_defintion(const cfg_obj_t *tlsobj, const char *name, } } + /* Check if the cipher suites string is valid */ + tresult = cfg_map_get(tlsobj, "cipher-suites", &tls_cipher_suites); + if (tresult == ISC_R_SUCCESS) { + const char *cipher_suites = cfg_obj_asstring(tls_cipher_suites); + if (!isc_tls_cipher_suites_valid(cipher_suites)) { + cfg_obj_log( + tls_cipher_suites, logctx, ISC_LOG_ERROR, + "'cipher-suites' in the 'tls' clause '%s' is " + "not a valid cipher suites string", + name); + result = ISC_R_FAILURE; + } + } + return (result); } diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 10aa92ee229..625edc7f4f1 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c 
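Review bot: The new `cipher-suites` validation in check_tls_defintion() only says the string is checked, not which protocol it governs, while the neighbouring `ciphers` option (its check lies outside this hunk) governs a different one; an operator reading the error cannot tell which knob applies to TLSv1.3. The parser guard `HAVE_SSL_CTX_SET_CIPHERSUITES` in the namedconf.c part of this commit suggests the option maps to OpenSSL's `SSL_CTX_set_ciphersuites()`, which affects TLSv1.3 suites only while `ciphers` covers TLSv1.2 and earlier; if that is confirmed, replace the leading comment with `/* 'cipher-suites' is the TLSv1.3 suite list (SSL_CTX_set_ciphersuites()); 'ciphers' covers TLSv1.2 and below. Reject an unparsable list here rather than at context setup. */`. Note also that `isc_tls_cipher_suites_valid()` is called unconditionally here although the clause is registered only when that macro is defined, so the helper presumably has to exist in builds without it — worth stating in the comment if so. The enclosing `check_tls_defintion()` starts outside the hunk.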
@@ -3971,6 +3971,11 @@ static cfg_clausedef_t tls_clauses[] = { { "dhparam-file", &cfg_type_qstring, 0 }, { "protocols", &cfg_type_tlsprotos, 0 }, { "ciphers", &cfg_type_astring, 0 }, +#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES + { "cipher-suites", &cfg_type_astring, 0 }, +#else + { "cipher-suites", &cfg_type_astring, CFG_CLAUSEFLAG_NOTCONFIGURED }, +#endif { "prefer-server-ciphers", &cfg_type_boolean, 0 }, { "session-tickets", &cfg_type_boolean, 0 }, { NULL, NULL, 0 }
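Review bot: The `#ifdef` registration carries no comment explaining why `cipher-suites` alone is conditional while `ciphers` is always available, nor that a build without `HAVE_SSL_CTX_SET_CIPHERSUITES` will reject the clause at parse time through `CFG_CLAUSEFLAG_NOTCONFIGURED`. A one-line comment above the `#ifdef` would make that concrete: `/* TLSv1.3 cipher suites need SSL_CTX_set_ciphersuites(); builds without it reject the clause as not configured. */`. The OpenSSL mapping is inferred from the macro name only, so confirm it against the isc_tls implementation before wording it as fact. The `tls_clauses[]` array starts outside the hunk.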